Retirement of RBAC Application Impersonation in Exchange Online
Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online.
Modernizing Application Access
Historically, when you needed to grant an application access to more than its own mailbox in your Exchange organization using Exchange Web Services (EWS), you had limited options.
Simple delegation worked for one-to-one and even some one-to-few scenarios, but when you needed to grant access to many mailboxes, Impersonation was the way to go. Impersonation provided easy and broad access to many mailboxes, but limited options for scoping resources for access, and limited visibility outside of Exchange.
Today, the Microsoft identity platform / application model is the standard way to build apps that integrate with your data in the Microsoft cloud. Registering your app in Microsoft Entra simplifies deployment and adoption, makes permissions clearly visible, and helps to standardize your integrated applications.
How Does This Affect Me?
All apps must have an App Registration, and when using Application permissions (not Delegated), the app must use a secure credential for access.
When using EWS, you still grant the full_access_as_app Application permission, which provides the same level of mailbox access as ApplicationImpersonation. You can use an Application Access Policy to restrict the resources the application can access. You can also use RBAC for Apps to restrict the resources it can access.
Better yet, use Graph, as EWS is going away!
How Do I Find Accounts Using This Type of Access and What Actions Should I Take?
Use Exchange Online PowerShell to check for accounts that have been assigned the ApplicationImpersonation role:
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
For EWS applications requiring one-to-many mailbox access, ensure the application is configured properly with OAuth to use App-only access.
Implement resource-scoped access using Application Access Policies or Role Based Access Control for Applications in Exchange Online to control mailbox access as needed for your scenario.
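The inventory-then-scope procedure above, worked through in Exchange Online PowerShell as an added example that is not part of the original post. The App ID, group address and mailbox addresses are placeholders you substitute; the cmdlets and parameters are the standard Exchange Online ones.

```powershell
# Added example (not from the post). <APP-ID-GUID>, the group and the mailboxes are placeholders.
Connect-ExchangeOnline

# Step 1: inventory. List every assignment of ApplicationImpersonation, resolved to the
# effective users (group members), so you know which apps/service accounts depend on it.
$impersonators = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, RecipientWriteScope
$impersonators | Format-Table -AutoSize

# Step 2: after the app has an Entra app registration with full_access_as_app (EWS) or the
# equivalent Graph application permission, restrict it to one mail-enabled security group
# with an Application Access Policy instead of leaving it tenant-wide.
$appId = "<APP-ID-GUID>"   # placeholder: Application (client) ID from the app registration
$scopeGroup = "ews-scoped-mailboxes@contoso.com"   # placeholder: mail-enabled security group

New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit the EWS app to the mailboxes in $scopeGroup"

# Step 3: verify the policy. AccessCheckResult should be Granted for a member of the group
# and Denied for any other mailbox; run both checks before cutting over the application.
Test-ApplicationAccessPolicy -Identity "member@contoso.com"    -AppId $appId
Test-ApplicationAccessPolicy -Identity "nonmember@contoso.com" -AppId $appId
```

Application Access Policies take time to propagate, so re-run the Test-ApplicationAccessPolicy checks rather than assuming the Denied result appears immediately.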
The Exchange Online Team